I am running Splunk 5.0.1, am in a Windows workgroup environment, and have 2 Windows 2008R2 servers as indexers for redundancy (indexerA and B). What I am looking to do is to establish a process to, should one server go down, restore the index from the second server. Let's say indexer B goes down for a week and I am ready to bring it back up online; this is the process that I would execute...
Indexer A - roll the hot dbs to warm by running the following command:
Does this sound correct?
Amend the above process to...
On indexer B create
log onto indexer A and map network drive to
copy contents of defaultdb from indexer A to indexer B
You could create a cluster as documented in:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Aboutclusters
Clusters are groups of Splunk indexers configured to replicate each others' data, so that the system keeps multiple copies of all data. This process is known as index replication. By maintaining multiple, identical copies of Splunk data, clusters prevent data loss while promoting data availability for searching.........
Lp
Thanks for your assistance lpolo, but unfortunately schedule does not allow me the time to implement clustering. I will definitely keep your advice in my pocket as a possible upgrade in the future.
The number of servers is determined by the replication factor.
For example, if you want to ensure that your system can handle the failure of two peer nodes, you must configure a replication factor of 3, which means that the cluster stores three identical copies of your data on separate nodes. If two peers go down, the data is still available on a third peer.
But if I am not mistaken you need at least 4 or 5 servers for a cluster...I only have 2.